Nuclear Regulatory Commission Computer Security Office CSO Office Instruction

Transcription

1 Nuclear Regulatory Commission Computer Security Office CSO Office Instruction Office Instruction: Office Instruction Title: CSO-PLAN-0100 Enterprise Risk Management Program Plan Revision Number: 1.0 Effective Date: October 25, 2013 Primary Contacts: Responsible Organization: Summary of Changes: Training: ADAMS Accession No.: Kathy Lyons-Burke, SITSO CSO/PST CSO-PLAN-0100, Enterprise Risk Management Program Plan, provides the high-level plan to implement and maintain an NRC Cyber Security Enterprise Risk Management Program. As needed ML13266A290 Concurrences Primary Office Owner Policy, Standards, and Training Responsible SITSO Kathy Lyons-Burke Date of Concurrence Directors CSO Tom Rich /RA/ 07-Oct-13 PST Kathy Lyons-Burke /RA/ 07-Oct-13 FCOT Kathy Lyons-Burke /RA/ 07-Oct-13 CSA Thorne Graham /RA/ 07-Oct-13 Concurrence Meeting Conducted on 07-Oct-13 Attendees: Thomas Rich Jon Feibus Kathy Lyons-Burke

2 U.S. Nuclear Regulatory Commission NRC Enterprise Risk Management (ERM) Program Plan Version 1.0 October 7, 2013

3 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page ii Contents 1 Introduction Purpose Scope Relationship to Other Cyber Security Risk Activities Approach Develop an ERMP Communication Plan Develop an ERM Blueprint Execute ERM Implementation Phases References Program Overview Overall Goal and Objectives Phase 1: Agency-wide Cyber Security Oversight Activities Phase 2: IT Infrastructure Implementations Phase 3: Regional Implementations Phase 4: Remaining NRC Cyber Risk Related Activities Work Breakdown Structure Program Deliverables Program Organization Program Roles and Responsibilities Stakeholders... 9 Appendix A Acronyms... 12

4 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 1 1 INTRODUCTION This plan explains how the Computer Security Office (CSO) plans to implement the Enterprise Risk Management (ERM) Program at the Nuclear Regulatory Commission (NRC) such that the program complies with National Institute of Standards and Technology (NIST) Special Publication (SP) , Managing Information Security Risk, Organization, Mission, and Information System View. 1.1 Purpose The purpose of the ERM Program (ERMP) is to enable the agency to manage enterprise cyber security risk more effectively. The ERMP addresses the use of NRC cyber systems and cyber relevant assets from a risk management perspective, ensuring the safe, reliable, and costeffective use of cyber throughout the agency to achieve mission objectives. 1.2 Scope The ERMP addresses all risk management capabilities and responsibilities related to cyber systems and cyber-relevant capabilities within NRC. Capabilities may include, but are not limited to, policies, processes, procedures, technologies, standards, and training. Initially, the ERMP efforts focus on agency-wide cyber security oversight activities, with the intent of achieving cost-effective and efficient reduction of risk to the NRC. The ERMP effort then gradually expands to address the next greatest area of risk, until all aspects of cyber security risk at NRC have been addressed. 1.3 Relationship to Other Cyber Security Risk Activities The ERMP examines all existing cyber security risk activities for improvements and ensures that NRC effectively employs cyber risk capabilities such as system authorization, continuous monitoring, the cyber risk dashboard, the business area risk assessments, and continuous diagnostics and mitigation activities. 1.4 Approach A blueprint detailing the individual elements of a NIST compliant ERM Program will be developed. The blueprint will be used and refined as each phase of the ERM Program implementation is executed Develop an ERMP Communication Plan A communication plan outlining methods that will be used to communicate implementation of ERM capabilities and changes to existing process, procedures, etc. will be developed. Methods that will be used for communication include, but are not limited to the following: Designated Approving Authority (DAA) briefings IPEC briefings Information Technology (IT) Architecture Council briefings One-page summaries for office directors ISSO Forum briefings CSO web page and SharePoint postings

5 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page Develop an ERM Blueprint An ERM Blueprint will be developed, as described in Section 2.7 Program Deliverables. Initially, the blueprint will identify high-level elements of the ERM Program; as each phase is executed, additional details will be provided based on lessons learned and information obtained during execution of previous phases. The objective of the blueprint is to show how individual elements of the program support other elements, and ultimately, to define the target state of the ERM Program. The blueprint will provide context to ERM stakeholders and program practitioners for key program activities Execute ERM Implementation Phases CSO will implement the ERM Program in four iterative phases. Each phase will build on the previous phase, adding appropriate representatives and applying lessons learned as the program is implemented throughout the agency. The first four phases of the ERM Program will be implemented as follows: Phase 1: Agency-wide Cyber Security Oversight Activities Phase 2: IT Infrastructure Implementations Phase 3: Regional Implementations Phase 4: Remaining NRC Cyber Risk Related Activities The following activities will be conducted during each of the four implementation phases: Expand the ERM Blueprint: Expand the ERM Blueprint to provide details concerning program implementation for each phase. As details are provided for each phase, the ERM Blueprint will increasingly describe the target state of the ERM Program. This activity results in a report that identifies the ERM elements that must exist within the NRC to achieve an effective and compliant risk management program. An iterative version of the report is produced after each phase. Document the ERM Baseline and Assess Gaps: Evaluate current risk management capabilities for each activity during each phase. Determine the degree to which existing capabilities already satisfy those required in the ERM Blueprint, and identify any gaps that remain. This results in a report that identifies the baseline and the gaps between the baseline and the blueprint. Within each phase, a report is produced identifying the baseline first, and then the report is augmented to identify the gaps. Develop ERM Program Portfolio: Develop a portfolio of programs and alternatives to be used to address the identified gaps; prioritize the programs and alternatives, sequence them for dependencies, and present them to senior leadership for approval. The ERM Program Portfolio is comprised of discrete programs during which tasks are completed for the purpose of implementing CSO approved recommendations identified in the ERM Gap Analysis Report. The programs are defined and sequenced so that as any one is completed it provides benefit to the agency and that cumulative benefit is achieved as related programs are completed. Address Gaps: As programs and alternatives are approved by senior leadership, coordinate and oversee the execution of each program or alternative to ensure that each objective is accomplished (i.e., gap is closed) within the planned timeframes.

6 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 3 Plan Next Phase: Planning for the next phase (e.g., developing program plans and scheduling required activities) will take place concurrent with gap closure. After Phase 4 is complete, the ERM Program will enter a fifth phase during which the mechanisms for long-term maintenance and continuous improvement of the program will be established. Once established, this program is complete and the ERMP transitions to ongoing maintenance. 1.5 References At a minimum, the following resources will be used when developing the ERMP: NIST SP (Revision 1) Guide for Developing Security Plans for Federal Information Systems, February 2006 NIST SP (Revision 1) Guide for Conducting Risk Assessments, September 2012 NIST SP (Revision 1) Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010 NIST SP Managing Information Security Risk Organization, Mission, and Information System View, March 2011 NIST SP (Revision 4) Recommended Security Controls for Federal Information Systems and Organizations, May 2013 NIST SP A (Revision 1) Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010 NIST SP (Revision 1) Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008 NIS SP (Revision 2) National Checklist Program for IT Products Guidelines for Checklist Users and Developers, February 2011 FIPS PUB-199 Standards for Security Categorization of Federal Information and Information Systems, February 2004 FIPS PUB-200 Minimum Security Requirements for Federal Information and Information Systems, March 2006 The following resources may also be used when relevant and appropriate: ISO-31000:2009 Risk Management Principles and Guidelines DHS Risk Lexicon, 2010 Edition, September 2010 Risk Management Fundamentals, Homeland Security Risk management Doctrine, April PROGRAM OVERVIEW This section provides an overview of CSO s ERMP.

7 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page Overall Goal and Objectives The primary goal of the NRC ERMP is to enable more consistent, complete, agile, and costeffective risk management practices throughout the agency by unifying and standardizing risk management activities related to cyber systems and cyber-relevant capabilities. Objectives include: Ensuring that the organization s risk management capabilities are repeatable and effectively used throughout the agency s information systems; Fostering an organizational climate where information security risks are considered within the context of the agency s mission and business processes; Guiding individuals responsible for deployment and maintenance of cyber systems to better understand how information security risk can impact them, their systems, other systems, and the agency as a whole; and, Identifying and implementing processes that allow for consistent feedback and continuous improvement of the ERMP. 2.2 Phase 1: Agency-wide Cyber Security Oversight Activities The goal of the first phase is to identify the ERM cyber security oversight capabilities that can maximize the value of the ERMP as a whole. The ERM Team will identify and implement the risk management capabilities that may require the least effort with maximum risk management benefits to the agency. Implementation of these capabilities will demonstrate the value of the ERMP throughout the agency. The ERM Team will also focus on high priority activities, including: Development of formal, agency-specific mission impact definitions; Development of refined security categorization definitions and guidance; Development of enhanced CSO processes, procedures, and templates, to include: - Identifying those that do not exist. - Identifying those that need to be revised. - Developing processes, procedures and templates that support efficient execution of cyber security tasks. Identification of standards, processes, procedures, and templates that should be removed; Identification of high impact risks that can be resolved with the least amount of effort (using data available within CSO); Identification of more streamlined user friendly capabilities that better enable staff to complete cyber security tasks; Identification through an analysis of aggregated Plans of Actions and Milestones (POA&M) of patterns and trends, including those that result in the greatest agency risk; Identification through an analysis of aggregated risk assessments of patterns and trends, including those that result in the greatest agency risk; Identification of improvements in cyber security control implementation;

8 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 5 Identification of additional functionality that could be incorporated into existing tools to more efficiently execute cyber security tasks; Establishing processes to ensure increased consistency during cyber security testing, tool usage, and tool-configuration settings; Supporting increased automation for security control assessment on an ongoing basis to reduce the manual burden and to enable increased assessment frequency; Developing a more comprehensive set of standardized system security requirements; and, Increasing efficiency by linking the standardized system security requirements to the standardized controls. 2.3 Phase 2: IT Infrastructure Implementations The goal of the second phase is to identify the ERM capabilities that can be implemented within IT infrastructure activities and operations with the intent to reduce cyber security risk. The ERM Team will incorporate IT infrastructure representatives and will order the infrastructure implementation risk management capabilities that require the least effort with maximum risk management benefits to the agency to those with the lowest cost-benefit ratio. IT infrastructure staff will implement the most advantageous capabilities in collaboration with CSO. 2.4 Phase 3: Regional Implementations The goal of the third phase is to identify the ERM capabilities that can be implemented within regional activities and operations with the intent to reduce cyber security risk. The ERM Team will incorporate regional representatives and will order the regional implementation risk management capabilities that require the least effort with maximum risk management benefits to the agency to those with the lowest cost-benefit ratio. Regional staff will implement the most advantageous capabilities in collaboration with CSO. 2.5 Phase 4: Remaining NRC Cyber Risk Related Activities The goal of the last phase is to identify the ERM capabilities that can be implemented within cyber security relevant activities across all part of NRC with the intent to reduce cyber security risk. The ERM Team will incorporate cross-agency representatives and will order the implementation risk management capabilities that require the least effort with maximum risk management benefits to the agency to those with the lowest cost-benefit ratio. Approproate staff will implement the most advantageous capabilities in collaboration with CSO. 2.6 Work Breakdown Structure This section provides an overview of the key tasks involved in implementing the ERM program. Planning and Preparation 1. Develop ERM Plan a. Develop the initial ERM Plan. b. Conduct an internal CSO review of the plan. c. Obtain approval of the initial ERM Plan from the Policy, Standards, and Training (PST) Senior IT Security Officer (SITSO) and the Chief Information Security Officer (CISO).

9 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 6 2. Finalize ERM Blueprint a. Complete the initial ERM Blueprint using NIST SP Managing Information Security Risk: Organization, Mission and Information System View, March 2011 as the primary resource. b. Conduct an internal CSO review of the blueprint. c. Obtain approval of the initial ERM Blueprint from the PST SITSO and the CISO. Phase 1: Agency-wide Cyber Security Oversight Activities 1. Update the ERM Blueprint with CSO specific elements a. Identify the CSO-specific elements of the ERM Blueprint that must be evaluated to address ERM within the CSO. b. Describe each element and define requirements specific to the CSO that must be met to fully satisfy the element. c. Facilitate a CSO review of the defined elements. d. Finalize the CSO-elaborated version of the ERM Blueprint. 2. Document the Baseline and Assess Gaps for CSO a. Gather information already available to the contractor, and conduct interviews with the contractor s team to identify the current ERM baseline for CSO. b. Assess the CSO baseline against the requirements defined for each CSO specific element identified in the ERM Blueprint. i. Identify the degree to which the ERM Blueprint requirements are already satisfied by the CSO baseline, and identify any gaps that remain. ii. Provide options and recommendations for addressing and remediating the gaps. c. Facilitate a CSO review of the gap analysis. 3. Develop an ERM Program Portfolio for CSO a. Sequence and prioritize the CSO gap remediation recommendations, and identify them as short-, mid-, or long-term efforts. b. Establish a portfolio of discrete programs defined to implement the CSO approved recommendations. For each program: i. Estimate timeframes. ii. Identify tasks and dependencies. iii. Identify CSO staff that may be required to perform the task. c. Facilitate a CSO review. d. Formalize each program. e. Obtain approval to execute the program. 4. Execute the CSO ERM programs to address gaps a. Monitor and coordinate efforts throughout the program portfolio. For each program:

10 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 7 i. Engage the appropriate CSO leads. ii. Identify a program lead and practitioners. iii. Facilitate a kick-off meeting. iv. Conduct periodic program status reviews. v. Monitor schedule, budget, and outcomes. vi. Ensure consistency throughout the program portfolio. 5. Plan Phase 2: IT Infrastructure Implementations a. Revise the ERM Plan for implementation throughout IT Infrastructure Implementations. i. Consider lessons learned during Phase 1. ii. Update the program schedule. b. Facilitate a CSO review. c. Engage OIS and coordinate the activities required for Phase 2. Phase 2: IT Infrastructure Implementations 1. Update the ERM Blueprint with OIS specific elements. 2. Document the OIS baseline and conduct a gap analysis of the OIS portion of the target state defined by the ERM Blueprint. 3. Develop an ERM Program Portfolio for OIS. 4. Execute the OIS ERM programs to address gaps. 5. Plan Phase 3: Regional Implementations. Phase 3: Regional Implementations 1. Update the ERM Blueprint with Region specific elements. 2. Document the baseline for the NRC Regions and conduct a gap analysis of the Regionbased portion of the target state defined by the ERM Blueprint. 3. Develop an ERM Program Portfolio for the NRC Regions. 4. Execute the Regional ERM programs to address gaps. 5. Plan Phase 4: ERM Implementation for the Remaining NRC Cyber Risk Related Activities. Phase 4: Remaining NRC Cyber Risk Related Activities 1. Update the ERM Blueprint with organization specific elements. 2. Document the baseline for the NRC regions and conduct a gap analysis of each organization s portion of the target state defined by the ERM Blueprint. 3. Develop an ERM Program Portfolio for the organizations.

11 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 8 4. Execute the organizational ERM programs to address gaps. Phase 5: ERM Planning and Maintenance Phase 1. Finalize all ERM Program documentation. 2. Plan for ongoing maintenance and continuous improvement of the ERMP. ERM Ongoing Maintenance and Continuous Improvement 1. Identify long-term custodian(s) for the ERMP. 2. Develop and/or refine business processes to ensure continuous improvement of ERM. 3. Implement the processes and/or process changes. 2.7 Program Deliverables Table 1 lists the ERM Program deliverables. Table 1: ERM Program Deliverables Deliverable ERM Program Plan Initial ERM Program Plan: November 29, 2013 Target Delivery Date Phase 2-4 ERM Program Plan Updates: TBD ERM Communication Plan Initial ERM Communication Plan: December 16, 2013 ERM Blueprint Phase 2-4 ERM Program Plan Updates: TBD Initial ERM Blueprint: January 30, 2014 Phase 1 ERM Blueprint: March 28, 2014 Phase 2-4 ERM Program Plan Updates: TBD ERM Baseline Portion of Gap Analysis Report Phase 1 ERM Baseline Report: February 28, 2014 ERM Gap Analysis Report Phase 2-4 ERM Baseline: TBD CSO specific Results and Recommendations: March 17, 2014

12 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 9 Table 1: ERM Program Deliverables Deliverable ERM Program Portfolio Target Delivery Date Phase 2-4 ERM Program Plan Updates: TBD CSO specific Program Portfolio: April 30, 2014 Phase 2-4 ERM Program Plan Updates: TBD 3 PROGRAM ORGANIZATION This section defines the ERM roles, responsibilities, and stakeholders for Phase 1 of the ERM Program. Roles, responsibilities, and stakeholders will be reviewed and revised as needed during each phase of program implementation. 3.1 Program Roles and Responsibilities Table 2 lists the roles and responsibilities for Phase 1 of the ERM Program. Table 2: ERM Program Roles and Responsibilities CISO Roles PST SITSO ERM Project Team Leader Technical Program Manager CSO Members CSO Support Contractor Program Responsibilities Provides executive leadership of the ERMP and acts as the ERMP champion. The PST SITSO oversees the ERMP; approves ERM-related plans, processes, and procedures; and supports senior management stakeholder activities. The ERM Team Project Leader leads the ERMP implementation; tracks and provides oversight and support for ERM-related activities; reviews ERM-related plans, processes, and procedures; and supports senior management stakeholder activities. Establishes and implements program plan, with the goal of keeping the program on schedule and within budget, and notifies the ERM Team Leader of any schedule or budget concerns. The Technical Program Manager also communicates business and technical requirements, tasks, and deliverables to the CSO Support Contractor; provides budget updates and requests to the ERM Team Leader; reviews contractor deliverables; provides comment prior to submitting to CSO senior management for review and approval; and supports technical staff stakeholder activities. Support the Technical Program Manager with requirements identification, ERM related process and procedure updates, gap analysis, and review of contractor deliverables. Also supports technical staff stakeholder activities. Supports the Technical Program Manager with requirements identification, ERM related process and procedure updates, and gap analysis. 3.2 Stakeholders Stakeholders for Phase 1 of the ERM Program are the DAA, Chief Information Officer (CIO), CISO, CSO, and system owners.

13 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 10 Stakeholders for subsequent phases will be identified in this plan as each phase takes place, and will include OIS, System Owners (SOs), the DAA, and agency Lines of Businesses (LOB).

14 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 11 CSO Enterprise Risk Management Program Plan Change History Date Version Description of Changes Method Used to Announce & Distribute Training 06-Nov Initial issuance Posting on CSO web page Upon request

15 CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page 12 Appendix A Acronyms Term CIO CISO CSO DAA ERM ERMP IPEC IT LOB NRC OIS POA&M PST SITSO SO Definition Chief Information Officer Chief Information Security Officer Computer Security Office Designated Approving Authority Enterprise Risk Management Enterprise Risk Management Program IT/IM Portfolio Executive Council Information Technology Line of Business Nuclear Regulatory Commission Office of Information Services Plan of Action and Milestones Policy, Standards & Training Senior Information Technology Security Officer System Owners